Описание
A flaw was found in the vLLM distributed training API. This vulnerability allows remote code execution via unsafe deserialization, which uses pickle.loads() without sanitization.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-amd-rhel9 | Not affected | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-aws-nvidia-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-azure-amd-rhel9 | Not affected | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-azure-nvidia-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-gcp-nvidia-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-ibm-nvidia-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-intel-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-nvidia-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/instructlab-amd-rhel9 | Not affected | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/instructlab-intel-rhel9 | Fix deferred |
Показывать по
10
Дополнительная информация
Статус:
Low
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=2353764vllm: Remote Code Execution by Pickle Deserialization in vllm-project/vllm
2.6 Low
CVSS3
Связанные уязвимости
nvd
10 месяцев назад
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS3: 9.8
github
10 месяцев назад
vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object
2.6 Low
CVSS3